Description of problem:
SELinux denied access requested by libvirtd.
Version-Release number of selected component (if applicable):
ovirt-developer-appliance-0.91-1
libvirt-0.4.4-1.fc9
How reproducible:
Always
Steps to Reproduce:
1. SELinux in enforce mode
2. virsh start developer
3.
Actual results:
see attached selinux log
Expected results:
no SELinux warning
Additional info:
Created attachment 310991: alert against virtd_t
Created attachment 310992: alert to qemu_t
I think this really needs to be fixed in the SELinux policies, and since Ovirt is based on Fedora, that should be in the Fedora Component. I doubt it should be processed in the isolation of the Virtualization tools components. So reassigning, Daniel
This is on Fedora 9
This is definitely fixed in selinux-policy-3.3.1-76.fc9 if not earlier. Please update to the latest SELinux policy.
I also have a getsched avc denial for libvirtd (also qemu), slightly different error.
[root@macmini ~]# date
Fri Jul 25 11:52:16 EST 2008
[root@macmini ~]# rpm -q selinux-policy
selinux-policy-3.3.1-78.fc9.noarch
-- meanwhile virt-manager is run and a prebuilt domain is attempted to be started --
[root@macmini ~]# tail -f /var/log/messages -n 5
Jul 25 11:51:55 macmini kernel: virbr0: port 1(vnet0) entering disabled state
Jul 25 11:51:55 macmini kernel: device vnet0 left promiscuous mode
Jul 25 11:51:55 macmini kernel: virbr0: port 1(vnet0) entering disabled state
Jul 25 11:51:55 macmini setroubleshoot: SELinux is preventing libvirtd (virtd_t) "getsched" to <Unknown> (virtd_t). For complete SELinux messages. run sealert -l 575aa5fe-4e1d-4658-b018-0c3c30a775a7
Jul 25 11:52:15 macmini wmealing: test-test
Jul 25 11:52:32 macmini kernel: device vnet0 entered promiscuous mode
Jul 25 11:52:32 macmini kernel: virbr0: port 1(vnet0) entering listening state
Jul 25 11:52:32 macmini kernel: kvm: guest NX capability removed
Jul 25 11:52:32 macmini kernel: kvm: guest NX capability removed
Jul 25 11:52:32 macmini kernel: virbr0: port 1(vnet0) entering disabled state
Jul 25 11:52:32 macmini kernel: device vnet0 left promiscuous mode
Jul 25 11:52:32 macmini kernel: virbr0: port 1(vnet0) entering disabled state
Jul 25 11:52:32 macmini setroubleshoot: SELinux is preventing libvirtd (virtd_t) "getsched" to <Unknown> (virtd_t). For complete SELinux messages. run sealert -l 575aa5fe-4e1d-4658-b018-0c3c30a775a7
[root@macmini ~]# date
Fri Jul 25 11:52:45 EST 2008
Please send me the complete output from the sealert command.
Updated to selinux-policy-3.3.1-78.fc9.noarch, verified this issue has been fixed.